Google issues anniversary Android patch - and Qualcomm bugs dominate
The most severe Android bugs in this update are a trio of remote code execution vulnerabilities in Mediaserver.
Google's August patch for Android fixes 22 bugs in the operating system as well as over 80 bugs in component drivers, most of which affect devices with Qualcomm components.
Google has once again bifurcated its monthly bulletin to make it easier for Android device makers to patch common OS bugs quickly, while a second set of fixes addresses flaws in device drivers, kernel issues, bootloaders, and other components that only affect some device models.
See also
Devices that receive the first set of patches should display a security patch level of 2016-08-01 while devices that display security patch level 2016-08-05 contain both driver fixes as well as the first group of patches. Google for its part will be issuing the 2016-08-05 update to supported Nexus devices.
The most severe Android bugs in this update are a trio of remote code execution vulnerabilities in Mediaserver, a problematic component in Android that is getting a major security overhaul in the soon-to-be released Android Nougat.
As with previous bugs affecting Mediaserver, this one can be exploited using a specially-crafted MMS or media file for the browser. The issue affects all versions that Google currently patches, from Android 4.4 to Android 6.0.1.
There are also fixes for 10 high-severity bugs affecting libjhead, Mediaserver, and one in the system clock that could be used to crash a device. The remaining nine core OS bugs are rated as moderate.
Critical bugs in the second, much larger set of patches almost exclusively address issues in Qualcomm components.
One grouping of fixes for Qualcomm components addresses issues that can affect the bootloader, camera driver, character drive, networking, sound driver, and video driver in multiple Nexus devices. Most of these issues were reported over two years ago.
There are also fixes for bugs in the USB driver in all Nexus devices, the MediaTek wi-fi driver for Android One devices, and a bug in an LG bootloader that affects the Nexus 5X. Most of the driver issues in this bulletin affect at least one Nexus model, though two high- and one moderate-severity Qualcomm bugs don't affect any Nexus devices.
Samsung has also published its security bulletin for Google's August patches. Its update, primarily for top-end Galaxy models, fixes 56 core Android bugs, and five bugs in Samsung software. The most severe issue affects Samsung's SideSync app that enables screen-sharing between a PC and Galaxy device.
This month's patch also marks the anniversary of Google's monthly patching regime for Android in response to the first Stagefright bugs that were revealed last July.
As noted recently by Zimperium, the firm that found this bug, Stagefright helped nudge the Android ecosystem into taking security more seriously. It's also partly why US regulators are currently investigating how device makers, carriers, and operating-system vendors orchestrate end-device patching.
While the early monthly security updates focused on newly-discovered bugs in Android, the most recent updates have placed a heavier emphasis on hardware drivers and kernel bugs.